b'                PERSONNEL FILES\n                                SUMMARY\nWe found that the Office of Human Resources (OHR) has taken several steps to\nimprove controls over official personnel files. OHR has relocated the file room,\ninstalled a cipher lock, and put a sign on the door limiting access.\nWe are recommending several additional steps, including guidance on\nsigning-out and safeguarding files being used, periodic inventories of files,\nand storing certain records electronically.\n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\nOur objectives were to follow-up on our prior recommendations on personnel files (in\nAudit No. 338, issued August 13, 2001), and to identify further improvements. We\ninterviewed OHR staff, and reviewed a judgment sample of 21 personnel files, 22\ncharge-out cards, and 28 personnel actions (on form SF-50) processed between April\nand May 2006.\nWe conducted this inspection under the Quality Standards for Inspections (dated\nJanuary 2005) issued by the PCIE/ECIE.\n\n\n\n                           BACKGROUND\nThe Office of Human Resources (OHR) maintains an official personnel file (OPF) for\neach Commission employee. This file documents significant information about an\nemployee during the employee\xe2\x80\x99s federal employment (e.g., appointment, promotion,\nsalary increase, transfer, or separation). The file contains sensitive personally\nidentifiable information about employees, including but not limited to Social\nSecurity Numbers. The file is in the custody of the current employing agency, but\nthe Office of Personnel Management (OPM) owns it.\nOPM has issued a Guide to Personnel Record Keeping (Guide) which agencies must\nfollow in maintaining their personnel files. OPM has established security\nrequirements and retention standards for the permanent records in the personnel\nfile. For example, agencies should secure personnel records against unauthorized\naccess by keeping them in locked metal file cabinets or in a secure room.\nOPM categorizes documents in the personnel file as either long term or temporary.\nLong-term records include official personnel actions (on Standard Form 50), the\nemployee\xe2\x80\x99s application for employment, and coverage determinations for health and\nlife insurance. These documents protect the legal and financial rights of the\nGovernment and the employee.\n\x0c                                                                                        2\n\nOPM requires all long-term records to be placed on the right side of the personnel\nfile in chronological order by the effective date, with the most recent document on\ntop. Long term records are retained for the life of the file, normally 115 years from\nthe employee\xe2\x80\x99s date of birth.\nOPM requires temporary records to be placed on the left side of the file. These\nrecords include offer letters, requests for personnel actions (SF-52), employee\naddress forms, and other employee-related personnel documents.\nHowever, when an employee leaves an agency, the left side of the personnel file\nmust contain only the temporary documents authorized by OPM. These include the\nRecord of Leave Data (SF-1150), documentation of indebtedness to health benefits\nfunds, and four years of performance records.\nAgencies can maintain most personnel documentation electronically, if they obtain\nprior approval from OPM (under Section 1-12 of the Guide). Exceptions include\nforms designating a beneficiary for group life insurance and retirement benefits, and\ndocumentation of periods of employment not under OPM record keeping procedures.\n\n\n\n                         Inspection Results\nWe found that OHR has improved its controls over personnel files, in response to our\nprior audit. The steps it has taken are described below, together with our\nrecommendations for further improvements.\nFile Room Security\nOHR has moved personnel files to a more secure room, and installed a cipher lock on\nthe door of the room. The room is kept locked, and a sign restricts access to\nauthorized personnel. A shredder in the room was moved to an alternate location\n(reducing the need to enter the room).\nFiling of Personnel Documentation\nOur prior review found that seven of 308 sampled personnel action forms (SF-50s)\nwere not filed timely (the forms were dated four months prior to our test). In our\ncurrent review, all 10 of the forms we selected which required filing were placed\ntimely in the personnel file (our sample included 11 forms which did not require\nfiling).\nFile Charge-out\nOHR uses blue sign-out cards to track personnel files while they are in use by OHR\nand other Commission staff. The sign-out card contains the employee\xe2\x80\x99s name and\nSocial Security Number.\nThe person taking the file writes his or her name on the card and the charge-out\ndate. The card is then placed in alphabetical order in a separate file for sign-out\ncards. Files are supposed to be returned within two weeks.\nDuring our prior review, we found that one file of a sample of 45 was not available,\nand a sign-out card had not been properly filed. We also identified one instance in\nwhich an employee signed out a file for several months.\n\n\nPersonnel Files (Inspection No. 419)                                September 29, 2006\n\x0c                                                                                      3\n\nFor this review, we selected a judgment sample of 22 charge-out cards. We found\nthat 12 of the files had been charged out longer than two weeks (from 15 to 312\ndays). Six charge-out cards did not have a charge-out date indicated, so we could not\ndetermine how long these files were in use (one of these six also lacked the user\xe2\x80\x99s\ninitials).\nWe also selected a judgment sample of 21 personnel folders to determine if they were\nreadily available. We found that 14 of the files were available (i.e., a signed charge-\nout card was on file).\nThe other 7 files did not have a signed charge-out card. To locate these files, OHR\nhad to query its staff.\n              Recommendation A\n              OHR should remind its staff of the requirements for charging-out\n              personnel files and conduct periodic inventories of the files.\n\n\nAccording to OPM guidance, agencies should secure personnel records against\nunauthorized access at all times by keeping them in locked metal file cabinets or in a\nsecure room when not in use. When a file has been charged out, it needs to be locked\nup when the employee is not at his or her desk (e.g., at the end of the work day).\n\n              Recommendation B\n              OHR should provide guidance to its staff on the requirements for\n              storing charged-out personnel files, and ensure the staff have a locked\n              cabinet available for these files.\n\n\nElectronic Personnel Records\nAs stated in the Background, agencies can store most personnel records\nelectronically, after approval by OPM. Electronic records must also meet the\nNational Archives and Records Administration\xe2\x80\x99s standards.\nThis option is worth exploring (e.g., it would reduce the administrative burden of\nmanually filing personnel action forms, and save space).\n\n\n              Recommendation C\n              OHR should consider requesting approval from OPM to store certain\n              records (e.g., SF-50 personnel action forms) electronically.\n\n\n\n\nPersonnel Files (Inspection No. 419)                               September 29, 2006\n\x0c'